Summary & Key Actions Required
Following our investigations, we have concluded that this component is NOT exploitable in its current configuration within Avantra software.
Key Actions Required
- For the majority of customers, no action is required
- We do not believe that this component is exploitable in its current configuration within Avantra software; however, customers who are concerned about this CVE should upgrade to Avantra 23.0.3 or later.
- Patched components that mitigate this CVE are included in Avantra 23.0.3 or higher.
We became aware of CVE-2022-31692 on 3rd November 2022. It currently has a CVSS score of 9.8 and affects the software component Spring Security, versions 5.6.0 - 5.6.8 and 5.7.0 - 5.7.4. After completing our analysis, we have concluded that the component in question is not exploitable in its current state within Avantra software, and so no action is required by Avantra software users at this time.
Related security articles:
CVE-2022-31692 Summary
Please see this article for more information:
https://nvd.nist.gov/vuln/detail/CVE-2022-31692
Impact to Avantra
We have completed our investigations and analysis around this CVE and we believe it is not exploitable within Avantra software today. We will update this article if any of our findings or recommendations change in the future.
Impact on our customers
At present, there is no impact on Avantra customers. For customers concerned about this CVE, we advise updating to Avantra 23.0.3 or higher.
Change Log
31st Mar 2023 @ 14:00 CET | Updated with 23.0.3 release details
4th Nov 2022 @ 14:00 CET | Analysis completed and findings published
3rd Nov 2022 @ 10:00 CET | Initial notice published
We at Avantra take the security of our software and our customers very seriously; it is our top priority. We will keep you up to date as more information becomes available, and we encourage customers to subscribe to the security section of our forum to receive proactive updates as we post them.